Identity software for restricting software supplied through a communication link or the like to be used on one computer, and method therefor



Field of the invention

The present invention relates to protection of commercial software sold through a communication link or the like, and particularly to protection of such software against unauthorised use.

Background of the invention

Conventionally, software protection methods for protecting commercial software products, such as programs and multimedia software, sold through a communication link such as a telephone line by means of a modem, require the user computer to be fitted with a hardware means which comprises, for instance, decryption keys and a system for authenticating a program running on that computer. Hardware means, rather than software means, are used because software duplication facilities are commonly found in personal computers. However, this is extremely cumbersome and places a large burden on users and vendors alike.

It is therefore an object of the present invention to provide a software means to replace the above-mentioned hardware means, one which would not be copied by its rightful user to someone else.

It is another object of the present invention to provide a method for deterring unauthorised copying or use of the software means.



Summary of the invention

According to a first embodiment of the present invention, there is provided a central program comprising 1) a program for providing an encrypted identity (hereinbelow referred to as the EI program), 2) a program for enabling use of a software product (hereinbelow referred to as the ES program), and 3) a program for authenticating a computer (hereinbelow referred to as the AC program).

The central program manages the use of the individual programs therein so that the ES program is protected from being accessed directly by the user, thereby preventing it from being copied individually. The EI program provides an encrypted identity of a user for accessing a network central computer to obtain services, software products or the like, in which a secure operation of a user account for payment is involved. The AC program authenticates the computer on which it runs by determining, by software means, its hardware and software configuration and comparing the result with that recorded at initialisation. The ES program uses the authentication result of the AC program and the presence of the EI program as a precondition for enabling the software products so obtained to run on the computer.

It should be noted that within the central program the ES program is the one which needs protection most, whereas the EI program needs it least. According to the present invention, the protection of the ES program against being copied by its rightful user to someone else rests on the fact that a user would not copy a program (i.e. the EI program) which can provide that user's encrypted identity, and thereby allow the use of that user's account, in obtaining, for example, network services or software products. This is borne out by the use of automatic teller machine (ATM) magnetic cards which, although they can readily be forged, have proved to be remarkably secure.

According to a second embodiment of the present invention, the ES program is separate from the central program, and it enables software products to be used only when the EI program is present on the same computer, which is determined by receiving an encrypted identity of the EI program from it.

According to a third embodiment, the EI and ES programs are basically equivalent, such that copying the ES program by its rightful user to someone else is equivalent to copying the EI program, thereby deterring the ES program from being copied or used without authorisation.




Brief description of the drawings

FIG. 1 is a block diagram of the central program.

FIG. 2 is a diagrammatic view of a program in RAM space, in which a part B thereof is encrypted.



Detailed description of the preferred embodiments

The present invention is directed to protecting software products supplied through a communication link. For the sake of simplicity, the following description is directed to protection of such software on an IBM PC computer. The present invention will be described under the following headings:

1) The Central Program.

2) The Program for providing Encrypted Identity (EI program).

3) The Program for enabling use of a software product (ES program).

4) The Program for authenticating a computer (AC program).

5) Other Embodiments.



1) The Central Program.

According to the first embodiment, there is provided a central program which is an executable program and can be caused to execute by the user by entering its filename in the DOS environment, or by a running program as described under b) below. Refer to FIG. 1, which is a block diagram of the central program.

a) When a user desires to access a network central computer through a communication link, the user first causes the central program to execute. It will request the user to enter a password which, if it coincides with that required, causes it to send an identity of the user to the central computer.

This requirement of a user password is necessary to prevent someone from accessing the central computer and using the account of the rightful user without his authorisation.

Then the central program causes the EI program to execute for providing an encrypted identity of the user, and that encrypted identity is also sent to the central computer. The central computer will permit the access request from the user if the unencrypted and encrypted identities are consistent with each other.

b) When a running program desires to execute the ES program in order to authorise its operation, or to allow it to continue to run, it first prepares an input parameter indicating such a request to the ES program and stores the input parameter in a predetermined location in RAM. Then, through the use of a PC DOS service for that purpose, it causes the central program to be loaded from permanent storage, e.g. the hard disk, into RAM and executed. The central program will first access the input parameter in the predetermined location, and from it the central program can determine that the running program has requested an enable signal from the ES program; it will then cause the ES program to execute.

In the case where the central program is caused by the user to be executed, there will be no input parameter, or no valid input parameter, and the central program can thus recognise this case.


2) The Program for providing Encrypted Identity (EI program).

This program borrows the technique used in IC credit cards, in which an encrypted identity is generated for identity authentication.

When started, the EI program sends an access request to the central computer, which in return sends back a random number. The EI program then encrypts the random number with a predetermined algorithm A1 and sends the result to the central computer, which will permit access if the result is identical with the result it obtained by performing the same encryption. The random number is freshly generated for each request, so that a result recorded from an earlier exchange is of no use to an eavesdropper.

It should be noted that for each user there is a corresponding respective encryption algorithm A1 for identification of each of them, and also that the central computer may use the encryption result from the EI program, if it is correct, as a user authorisation for payment to be made from the user account for obtaining network services, software products or the like.

3) The Program for enabling use of a software product (ES program).

According to the present invention, there are two approaches for enabling a software product:

i) by sending an encrypted command to a running software product, authorising its operation on the computer, by the technique mentioned in item 2. Specifically, the running software product includes in the input parameter, as mentioned above in item 1, a random number it generated. The ES program, being caused to execute by the central program as mentioned in item 1, in return sends the result it obtained by performing a predetermined encryption algorithm A2 on that random number to the running software product, which compares it with the result it obtained by performing the same encryption on the same random number.

It should be noted that for each user, each of the software products for use on his/her computer(s) uses the same respective encryption algorithm A2, and that the encryption algorithm A2 is included into each such software product by the central computer at the time when the central computer supplies the product to the user computer.
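The following is a worked example of the three exchanges described in items 1, 2 and 3 i): the central program dispatching on the input parameter left in the predetermined RAM location, the EI program answering the central computer's random number with algorithm A1, and the ES program answering a running product's random number with algorithm A2. It is an added illustration and not code from the application. The application does not specify what algorithms A1 and A2 are; here each is modelled as HMAC-SHA256 under a per-user key, the predetermined RAM location is modelled as a dictionary shared between caller and callee, and the user identifier and keys are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed keys for one user. Each stands in for that user's own
# 'encryption algorithm': A1 for the EI program, A2 for the ES program
# and for the products supplied to that user.
USER_ID = "user-0001"
A1_KEY = hashlib.sha256(b"constructed A1 secret, user-0001").digest()
A2_KEY = hashlib.sha256(b"constructed A2 secret, user-0001").digest()


def apply_algorithm(key: bytes, random_number: bytes) -> bytes:
    """Stand-in for 'encrypting the random number with algorithm A1 (or A2)'."""
    return hmac.new(key, random_number, hashlib.sha256).digest()


class CentralComputer:
    """The network central computer of item 2: holds one A1 per user."""

    def __init__(self) -> None:
        self.a1_keys = {USER_ID: A1_KEY}
        self.account_open = {USER_ID: True}
        self.pending = {}  # user id -> random number sent, not yet answered

    def access_request(self, user_id: str) -> bytes:
        # Fresh random number per request: a recorded answer is useless later.
        random_number = secrets.token_bytes(16)
        self.pending[user_id] = random_number
        return random_number

    def check_encrypted_identity(self, user_id: str, result: bytes) -> bool:
        random_number = self.pending.pop(user_id, None)
        if random_number is None or not self.account_open.get(user_id, False):
            return False
        expected = apply_algorithm(self.a1_keys[user_id], random_number)
        return hmac.compare_digest(expected, result)


class CentralProgram:
    """Item 1: dispatches on the input parameter in the 'predetermined location'."""

    def __init__(self, a1_key: bytes, a2_key: bytes, ram: dict) -> None:
        self.a1_key = a1_key  # used by the EI program
        self.a2_key = a2_key  # used by the ES program
        self.ram = ram        # models the predetermined RAM location

    def run(self, central: CentralComputer) -> bool:
        param = self.ram.get("input_parameter")
        if not isinstance(param, dict) or param.get("request") != "enable":
            # No valid input parameter: the user started it, so the EI program runs.
            return self.ei_program(central)
        return self.es_program(param)

    def ei_program(self, central: CentralComputer) -> bool:
        random_number = central.access_request(USER_ID)
        encrypted_identity = apply_algorithm(self.a1_key, random_number)
        return central.check_encrypted_identity(USER_ID, encrypted_identity)

    def es_program(self, param: dict) -> bool:
        # The enable signal is A2 applied to the product's own random number.
        self.ram["enable_signal"] = apply_algorithm(self.a2_key, param["random_number"])
        return True


class SoftwareProduct:
    """Item 3 i): a product with its user's A2 built in by the central computer."""

    def __init__(self, a2_key: bytes, ram: dict, program: CentralProgram) -> None:
        self.a2_key = a2_key
        self.ram = ram
        self.program = program

    def start(self, central: CentralComputer) -> bool:
        random_number = secrets.token_bytes(16)
        self.ram["input_parameter"] = {"request": "enable", "random_number": random_number}
        self.program.run(central)  # models loading the central program via the DOS service
        signal = self.ram.pop("enable_signal", b"")
        self.ram.pop("input_parameter", None)
        return hmac.compare_digest(apply_algorithm(self.a2_key, random_number), signal)


def user_access(central: CentralComputer) -> bool:
    """The user starts the central program by hand: no input parameter, EI path."""
    return CentralProgram(A1_KEY, A2_KEY, {}).run(central)


def product_start(central: CentralComputer, product_a2_key: bytes = A2_KEY) -> bool:
    """A product asks the ES program for an enable signal through the input parameter."""
    ram = {}
    return SoftwareProduct(product_a2_key, ram, CentralProgram(A1_KEY, A2_KEY, ram)).start(central)


if __name__ == "__main__":
    cc = CentralComputer()
    print("user access granted:", user_access(cc))                 # True
    print("own product enabled:", product_start(cc))                # True
    print("another user's product:", product_start(cc, b"other"))  # False
```

A product supplied to a different user carries a different A2 and therefore never matches the enable signal, which is the binding the application relies on; the central computer discards each random number once answered, so a recorded EI answer cannot be presented a second time.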

ii) by decrypting an encrypted part of a software product, or an entirely encrypted software product.

It should be noted that if the software product is a program, then it is sufficient to have a part thereof encrypted for preventing unauthorised copying and use; however, if the software product is an audio/visual multimedia data file, it is more desirable to have the whole product encrypted.

The decryption of a part of, or of an entire, software product takes place on a temporary copy thereof in RAM. By way of example only, FIG. 2 is a diagrammatic view of a program in RAM space with a part B thereof encrypted. As seen, the ES program decrypts part B and stores the result, whose size need not be equal to that of the encrypted original, as 'part B decrypted'.

The ES program then overwrites the first location of 'part B encrypted' with an instruction 'JUMP TO part B decrypted' and appends at the end of 'part B decrypted' an instruction 'JUMP TO part C'. In this way the encrypted part of the program is not executed and its decrypted part is executed instead.

In the case of audio/visual multimedia software, the product is decrypted a small part at a time, each small part being decrypted at the time it is about to be used by an audio/visual program for causing an audio/visual effect. In other words, that audio/visual program has to cause the ES program to be executed, in the manner described above in item 1, every time it wants a small part decrypted. Desirably, a newly decrypted small part overwrites the previously decrypted one, so that a whole copy of the decrypted product never exists in RAM.

4) The Program for authenticating a computer (AC program).

One object of this program is to prevent the central program from being used if it is a copy made by someone other than the rightful user, of which the rightful user is unaware, so that the rightful user need not guard the computer containing the central program from the reach of someone else.

When the central program is installed on the hard disk of a user computer and executed, it will check encrypted status information held within it, from which it knows that this is the first time it has been executed, and it will cause an initialisation process to take place. In the initialisation process the central program sends an unencrypted identity of the user to the central computer; then the AC program requests an encrypted command from the central computer, which will provide such an encrypted command, in the manner described hereinabove in item 3 i), if the user has a valid account or the account has not been closed.

After authenticating the command, the AC program determines the hardware and software configuration of the user computer, which includes, for example: a running speed determination, which is a function of CPU frequency, cache memory size etc.; the number and identities of peripherals such as mouse, printer, joystick, hard disk and floppy disk drive; characteristics of hardware such as the number of heads, cylinders and sectors of the hard disk and the locations of bad sectors therein; the version number of the operating system software; and the physical position on the hard disk of particular software products, including the central program; all by techniques well known to those skilled in the art. For instance, the running speed can be determined by causing the computer to execute a test program and initialising a hardware counter to measure the time the computer has taken to finish the program. For another instance, the version number of the operating system may be determined by using a particular DOS service.

The result of the determination, together with status information indicating that initialisation has taken place, is stored by the AC program in a predetermined part of the central program in the form of encrypted data. Thereafter, every time the central program is executed, it will first check the status information and, after determining that it has been initialised, it will perform the job requested as referred to in item 1. In addition, it will automatically cause the AC program to execute, which will determine at least a part of the above hardware and software configuration of the computer at a time, and the AC program will encrypt an indication in another predetermined part of the central program for causing the ES program not to operate if any of the configuration items determined is not identical to that which it encrypted and stored previously.

In addition thereto, the AC program will also reset the encrypted status information, so that another initialisation process will automatically take place when the user next causes the central program to be executed, for which another encrypted command from the central computer will be required. This prevents a user from deliberately adapting the central program to another user's computer after closing his account.
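The following is a worked example of the AC program's part of the central program's life cycle: initialisation only when the central computer supplies its command, the configuration record and the 'initialised' status kept as sealed data in the central program's predetermined parts, the comparison on every later execution, and on mismatch both the indication that stops the ES program and the reset that forces a new initialisation. It is an added illustration and not code from the application. The configuration items are a constructed sample of those the text lists; the 'encrypted data' is modelled as an HMAC-SHA256 seal under a key held by the AC program (an assumption). The one item that is a measurement rather than a fixed fact, the running speed, is compared with a tolerance, since a timing loop does not return the identical count twice; that tolerance is an addition of this example.

```python
import hashlib
import hmac
import json

# Constructed sample of what the AC program might determine on an IBM PC.
SAMPLE_CONFIG = {
    "speed_ticks": 18432,   # hardware counter ticks taken by the test program
    "peripherals": ["mouse", "printer", "harddisk", "floppy"],
    "harddisk": {"heads": 16, "cylinders": 1024, "sectors": 63,
                 "bad_sectors": [20481, 73219]},
    "dos_version": "6.22",
    "central_program_cluster": 4117,   # physical position on the hard disk
}
SPEED_TOLERANCE = 0.05   # timing drifts run to run; everything else must match exactly
SEAL_LEN = 32


def canonical(config: dict) -> bytes:
    """Deterministic byte form of the configuration, so seals are reproducible."""
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


class CentralProgramImage:
    """The 'predetermined parts' of the central program in which the AC program keeps state."""

    def __init__(self) -> None:
        self.status = b""          # encrypted status information ('initialised' or not)
        self.config_record = b""   # sealed configuration record
        self.es_disabled = False   # indication that stops the ES program


class ACProgram:
    def __init__(self, seal_key: bytes) -> None:
        self.key = seal_key        # assumption: a key the AC program holds

    def seal(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def is_initialised(self, image: CentralProgramImage) -> bool:
        return hmac.compare_digest(image.status, self.seal(b"initialised"))

    def initialise(self, image: CentralProgramImage, config: dict,
                   command_from_central: bool) -> bool:
        # The central computer withholds the encrypted command when the account is closed.
        if not command_from_central:
            return False
        record = canonical(config)
        image.config_record = record + self.seal(record)
        image.status = self.seal(b"initialised")
        image.es_disabled = False
        return True

    def check(self, image: CentralProgramImage, config: dict) -> bool:
        """Every later execution: compare the current configuration with the sealed record."""
        record, tag = image.config_record[:-SEAL_LEN], image.config_record[-SEAL_LEN:]
        same = False
        if hmac.compare_digest(tag, self.seal(record)):   # record not tampered with
            stored, current = json.loads(record), dict(config)
            s0, s1 = stored.pop("speed_ticks"), current.pop("speed_ticks")
            same = abs(s1 - s0) <= SPEED_TOLERANCE * s0 and stored == current
        if not same:
            image.es_disabled = True   # the ES program will not operate
            image.status = b""         # force a new initialisation and a new command
        return same


def run_central_program(ac: ACProgram, image: CentralProgramImage, config: dict,
                        command_from_central: bool = True) -> str:
    """One execution of the central program, as far as the AC program is concerned."""
    if not ac.is_initialised(image):
        return "initialised" if ac.initialise(image, config, command_from_central) else "refused"
    return "enabled" if ac.check(image, config) else "disabled"


if __name__ == "__main__":
    ac, image = ACProgram(b"constructed AC seal key"), CentralProgramImage()
    print(run_central_program(ac, image, SAMPLE_CONFIG))   # initialised
    print(run_central_program(ac, image, SAMPLE_CONFIG))   # enabled
    moved = dict(SAMPLE_CONFIG, central_program_cluster=9001)
    print(run_central_program(ac, image, moved))           # disabled
```

Copying the central program to another machine changes the hard disk geometry, bad-sector map and file position, so the check fails at the first execution there and the copy then cannot be re-initialised without a fresh command from the central computer; a record altered by hand fails the seal check in the same way.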

In addition, the encrypted command from the central computer may alternatively be supplied to the user via, e.g., a telephone line, and be entered into the user computer by the user. Specifically, to request an encrypted command, the AC program generates a random number which is supplied to the central computer by the user by means of telephone dual-tone signals, generated by entering the random number on a telephone keypad, through the telephone line; after encrypting the random number, the central computer sends the result to the user via the same telephone line by means of a voice synthesiser.



5) Other Embodiments

According to the second embodiment, the ES program is separate from the central program, which comprises the EI and AC programs. The ES program is bound to the EI program by requiring the ES program to operate only when the EI program is present on the same computer. Specifically, the ES program, when running, can cause the EI program to be executed for generating an encrypted identity for the ES program to authenticate. The EI program knows that this is a request for an encrypted identity from the ES program, and not a request from the user for an encrypted identity for accessing the central computer, by the technique of the input parameter mentioned above.

Further, the EI program, before sending the encrypted identity to the ES program, may first check its own data integrity by, for instance, a checksum method. Alternatively, the ES program may perform the checking. If the checking result is that some data in the EI program has been altered, then in the former case the ES program is rendered inoperable by the EI program not sending it the encrypted identity, and in the latter case the ES program renders itself inoperable.

According to the third embodiment, the encryption algorithms A1 and A2, which the EI and ES programs use respectively for providing an encrypted identity to the central computer and for generating encrypted commands to authorise use of a software product, are the same algorithm. Thus it would be equivalent for a rightful user to copy his EI program to someone else if he copies his ES program to someone else. In this case a slight modification of the ES program can make it operate in the same manner as the EI program, which involves adding a simple interface program for receiving a random number from the central computer, feeding the random number into the ES program, receiving the encryption result from the ES program and supplying that result to the central computer; such functions are commonly found in any network interface software.

In addition, according to another embodiment of the present invention, the software products and the ES program for use on a particular user's computer include an identity of its rightful user, so as to facilitate legal action against piracy. Further, the ES program accesses each software product stored on the computer on which it runs, by using a particular DOS service for loading a program from the hard disk to RAM, to read the identity therein; if any software product is found to have an identity not identical to that of the ES program, the ES program will inhibit the use of all software products under its control, including itself, on the computer. Such identities may be stored in a predetermined location of each software product and are protected from being altered by having an encrypted copy stored in another location in each software product, said other location differing from one software product to another so that it is not discovered and altered. Each such software product, when executed, will automatically check the unencrypted identity stored therein against the encrypted one, and if they are not identical the product will fail to operate. The identity or encrypted identity of the rightful user is included into each software product by the central computer at the time when the central computer supplies the product to the user computer. Further, to prevent the ES program from mistakenly regarding a software product which is stored in the computer but was not supplied from the central computer as a product under its control, the central computer may also include, in a predetermined location of each software product, information indicating that the product was supplied from the central computer, and each such product will not operate if, when executed, it finds that information therein to have been altered.
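The following is a worked example of the identity embodiment just described: the central computer writes the rightful user's identity in plaintext at a fixed location of each product, a sealed copy of it at a location that differs per product, and a marker that the product was supplied by the central computer; each product checks its own identity against the sealed copy when executed, and the ES program scans the products it finds and inhibits everything under its control if one carries another user's identity, while ignoring programs that bear no marker. It is an added illustration and not code from the application. The layout, the marker value, the product serials and the rule for choosing the hidden location (derived from the product serial, which the product and the ES program both know) are constructed assumptions, and the 'encrypted copy' is modelled as an HMAC-SHA256 seal under a key the central computer shares with the ES program.

```python
import hashlib
import hmac

IDENTITY_LEN = 16
MARKER = b"CCSP"   # constructed marker: 'supplied by the central computer'
SEAL_LEN = 32
HEADER_LEN = IDENTITY_LEN + len(MARKER)


def seal(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def pad_identity(identity: str) -> bytes:
    return identity.encode().ljust(IDENTITY_LEN, b"\0")[:IDENTITY_LEN]


def hidden_offset(key: bytes, serial: bytes, body_len: int) -> int:
    """Where in the body this product's sealed copy sits; differs per product.

    Assumption: derived from the product serial, known to the product and the ES program.
    """
    h = int.from_bytes(seal(key, b"offset:" + serial)[:4], "big")
    return h % (body_len + 1)


def build_product(key: bytes, serial: bytes, identity: str, body: bytes) -> bytes:
    """What the central computer does at supply time."""
    ident = pad_identity(identity)
    k = hidden_offset(key, serial, len(body))
    sealed_copy = seal(key, serial + ident + MARKER)
    return ident + MARKER + body[:k] + sealed_copy + body[k:]


def read_sealed_copy(key: bytes, serial: bytes, image: bytes) -> bytes:
    body_len = len(image) - HEADER_LEN - SEAL_LEN
    start = HEADER_LEN + hidden_offset(key, serial, body_len)
    return image[start:start + SEAL_LEN]


def product_self_check(key: bytes, serial: bytes, image: bytes) -> bool:
    """Run by the product when executed: plaintext identity and marker vs the sealed copy."""
    if len(image) < HEADER_LEN + SEAL_LEN or image[IDENTITY_LEN:HEADER_LEN] != MARKER:
        return False
    ident = image[:IDENTITY_LEN]
    expected = seal(key, serial + ident + MARKER)
    return hmac.compare_digest(read_sealed_copy(key, serial, image), expected)


def es_program_scan(key: bytes, es_identity: str, products: list) -> bool:
    """ES program: True unless a product under its control carries another identity
    (or a forged one); then all products, itself included, are inhibited."""
    es_ident = pad_identity(es_identity)
    for serial, image in products:
        if image[IDENTITY_LEN:HEADER_LEN] != MARKER:
            continue   # not supplied by the central computer: not under ES control
        if not product_self_check(key, serial, image) or image[:IDENTITY_LEN] != es_ident:
            return False
    return True


if __name__ == "__main__":
    key = b"constructed key shared by the central computer and the ES program"
    p1 = build_product(key, b"SN-0001", "user-0001", bytes(range(256)))
    p2 = build_product(key, b"SN-0002", "user-0002", bytes(range(256)))
    print(es_program_scan(key, "user-0001", [(b"SN-0001", p1)]))                   # True
    print(es_program_scan(key, "user-0001", [(b"SN-0001", p1), (b"SN-0002", p2)]))  # False
```

Overwriting the plaintext identity in a product obtained from another user does not help: the sealed copy no longer matches, so the product refuses to run on its own and the ES program inhibits everything as well; stripping the marker instead makes the ES program ignore the file, but the product's own check then fails too.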



